Anish's Notebook

 string[] scopes = new string[] { "https://graph.microsoft.com/.default" };             string clientId = "";             string tenantId = "";             string secret = "";                        var options = new TokenCredentialOptions             {                 AuthorityHost = AzureAuthorityHosts.AzurePublicCloud             };             // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential             try             {                 var clientSecretCredential = new ClientSecretCredential(                        ...

 Using Ms Graph Rest API's Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see  Permissions . Permission type Permissions (from least to most privileged) Delegated (work or school account) AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Delegated (personal Microsoft account) Not supported. Application AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Create 2 app registrations. App role owner will contain the app role that will be assigned to a service principal. The  reader role in approleowner will be added to the approlesubscriber Setup postman to use the Oauth auth flow to get a token for MS Graph. ClientId:   Application (client) ID for approlesubscrib...

 1. Create a VNET with 2 subnets 2. Create a service endpoint policy. That enables us to specify which particular storage account to connect to. This is currently enabled for storage accounts alone. Otherwise as part of service endpoints we can specify the resource provider alone and not a specific resource. We can specify this service endpoint policy while creating a service endpoint. Only storage account allow service endpoint policies as of now. If we notice then selecting cosmos db or any other service other than storage will not have the ability to accept service endpoint policies. As mentioned microsoft.storage allows us to add service endpoint policies. Thus we can specify a particular resource within a provider This is 1 way of enabling service endpoints. Or we can directly go to the storage account and from the networking tab select Sub1. This will automatically configure service endpoints and will add a service endpoint policy that enables the resource to connect to the s...

We will create a storage account and try to enable service endpoints in it. Such that the storage account can be accessed only inside the specified network. So we create a VNET and restrict access to components inside the VNET.   1. We create a storage account and create a container and upload an image to the blob container.  2. Next we create a VNET and add 2 subnets.  3. We then enable networking on the storage account by traffic only from the first subnet.  This will enable service endpoints in the subnet Note that the second subnet doesnt have a service endpoint configured. So access is specific to a VNET and a subnet inside it (not to all subnets in it). 4. Then we try to view the uploaded blob in the browser (wont work).  5. Then we create a VM and then add it to the subnet that has access to the storage account..  6. Inside the VM if we try to access the same blob we find that we are able to view the image. 7. The same storage account cannot be ...

Application security groups Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example: In the previous picture,  NIC1  and  NIC2  are members of the  AsgWeb  application security group.  NIC3  is a member of the  AsgLogic  application security group.  NIC4  is a member of the  AsgDb  application security group. Though each network interface in this example is a member of only one network security group, a network interface can be a member of multiple app...